dotnet-security
Safeguard articles tagged "dotnet-security" — guides, analysis, and best practices for software supply chain and application security.
24 articles
Most vulnerable .NET libraries report
Safeguard's H1 2026 analysis of 41,000+ .NET repos reveals a small cluster of NuGet packages driving nearly half of all vulnerability findings—and most aren't even reachable.
ASP.NET Core vulnerability trends
A data-driven look at ASP.NET Core's recurring CVE patterns — DoS in Kestrel/SignalR, deserialization bugs, and NuGet supply chain risk — and how to triage what matters.
NuGet dependency confusion risk report
NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.
SQL Injection Prevention in C# with Entity Framework/LINQ
EF Core's LINQ layer parameterizes queries by default, but FromSqlRaw, ExecuteSqlRaw, and dynamic sort columns still open real SQL injection risk in .NET apps.
XXE Prevention in C# by Disabling XmlResolver/DTD Processing
XXE in C# lives at the XmlResolver and DtdProcessing settings. Here's how .NET's defaults evolved since 2014 and exactly how to lock down XmlDocument, XmlTextReader, and XmlReaderSettings.
CVE-2022-29148: Denial of service in .NET Kestrel HTTP stack
CVE-2022-21986 is a CVSS 7.5 denial-of-service flaw in .NET Kestrel's HTTP/2 and HTTP/3 handling. Here's what's affected and how to remediate it.
CVE-2023-29331: Remote code execution in .NET via crafted...
CVE-2023-29331 lets a crafted .NET assembly trigger remote code execution during loading. Here's what's affected, the severity context, and how to remediate it.
CVE-2024-0056: Security bypass in Microsoft.Data.SqlClient
CVE-2024-0056 lets attackers bypass TLS protections in Microsoft.Data.SqlClient/System.Data.SqlClient. Affected versions, remediation, and masking as defense in depth.
CVE-2024-0057: Certificate validation bypass in .NET X.50...
CVE-2024-0057 lets attackers forge X.509 certificates that bypass .NET's chain validation, risking spoofing in TLS and code-signing flows.
CVE-2018-1285: XXE in Apache log4net
CVE-2018-1285: Apache log4net before 2.0.10 fails to disable external XML entities, enabling XXE attacks via config files. Impact, fix, and detection.
How Snyk's Visual Studio extension scans .NET solutions f...
How Snyk's Visual Studio extension resolves .NET dependency trees, matches NuGet packages against its vulnerability database, and surfaces results in-editor.
The Moq Vulnerability: What Happened and What to Do
The Moq incident wasn't a classic CVE — it was a popular .NET mocking library quietly bundling a data-collection dependency in a routine version bump, and it's a case study in why supply-chain monitoring has to watch behavior, not just version numbers.